5.3 Adding Cheater Detection
5.3.3 The Tag Check
We discuss here the sub-routine ZeroTest, meant to check whether some shared value $[x]$ is equal to zero or not. A straightforward way to do this would be to simply open $[x]$; however, in the actual scenario this value will be equal to $[\gamma(z)] - \tilde z[\alpha]$ for some shared value $\langle z\rangle$, and the adversary could select any non-zero value $\Delta z$ and let $\tilde z = z + \Delta z$, so that opening $[\gamma(z)] - \tilde z[\alpha] = \Delta z\cdot[\alpha]$ would actually let the adversary learn the global key $\alpha$. This is no problem in a stand-alone execution of the protocol, since this action would lead to a commitment check (and thus to the identification of a cheater without any need for the key $\alpha$); however, we find it desirable to avoid leakage of the secret key. In this way, $\alpha$ and the pre-processing material can still be used in, for instance, the execution of another instance of the protocol. We thus devise a sub-routine that does not leak the value of $\alpha$.
ZeroTest:
The protocol takes as input a shared value $[x]$.
(i) Players select a random shared value $\langle r\rangle$ and a fresh multiplication triple $(\langle a\rangle, \langle b\rangle, \langle c\rangle)$.
(ii) Players compute $[rx]$ with the multiplication triple $(\langle a\rangle, \langle b\rangle, \langle c\rangle)$ as described in Section 5.2.4, but with a different communication model: instead of sending their data to a king player that acts as a relay, they broadcast a commitment to it, then open all the commitments before moving to the next round.
(iii) Each player $P_j$ broadcasts a commitment $\mathrm{Commit}((rx)_j)$ to his share of $[rx]$, then all commitments are opened, so that players obtain $rx$.
(iv) Output $\top$ if $rx = 0$, $\bot$ otherwise.
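The protocol above, simulated end to end (an added example, not code from the thesis): additive sharings over a prime field, hash commitments standing in for Commit, and a corrupt $P_1$ that shifts the opened $x - a$ by $\Delta$, so that the value actually multiplied by $r$ is $x + \Delta$. The field size $q = 2^{61}-1$, the SHA-256-plus-nonce commitment, the MAC form $\gamma(z) = \alpha z$ and all function names are assumptions of the example; the linear-combination check against the pre-processing commitments that exposes a cheater is not modelled, only the commit-then-open round structure. `naive_tag_open` and `recover_alpha` show the leakage of $\alpha$ from opening $[\gamma(z)] - \tilde z[\alpha]$ directly, and `tag_check` routes the same check through ZeroTest, which outputs only $\top$ or $\bot$.

```python
"""ZeroTest over F_q with additive sharing (constructed example, not the thesis's code)."""
import hashlib
import secrets

Q = 2**61 - 1        # field F_q; a Mersenne prime chosen for the example (assumption)
N_PLAYERS = 3


def share(value, n=N_PLAYERS):
    """Additive sharing [value]: n random shares summing to value mod Q."""
    shares = [secrets.randbelow(Q) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % Q)
    return shares


def reconstruct(shares):
    return sum(shares) % Q


def commit(value):
    """Commit(value) as SHA-256 over a 16-byte nonce and the element (assumption)."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + value.to_bytes(8, "big")).digest(), (value, nonce)


def opening_matches(digest, opening):
    value, nonce = opening
    return hashlib.sha256(nonce + value.to_bytes(8, "big")).digest() == digest


def commit_then_open(local_values):
    """One ZeroTest round: every P_j broadcasts Commit(v_j); openings are
    broadcast only once all commitments are in, so nobody can choose its value
    after seeing the others', and a bad opening is a public event."""
    commitments = [commit(v) for v in local_values]
    digests = [d for d, _ in commitments]      # broadcast round 1
    openings = [o for _, o in commitments]     # broadcast round 2
    for j, (d, o) in enumerate(zip(digests, openings)):
        if not opening_matches(d, o):
            raise ValueError(f"P_{j + 1} opened a value it did not commit to")
    return [o[0] for o in openings]


def beaver_triple():
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)
    return share(a), share(b), share(a * b % Q)


def zero_test(x_shares, shift_by=0):
    """ZeroTest([x]): True (top) iff the opened r*x is 0.  shift_by != 0 models
    a corrupt P_1 adding Delta to its share of x - a, i.e. multiplying x + Delta."""
    r_shares = share(secrets.randbelow(Q))                           # step (i)
    a_s, b_s, c_s = beaver_triple()
    gamma_shares = [(x - a) % Q for x, a in zip(x_shares, a_s)]      # step (ii)
    delta_shares = [(r - b) % Q for r, b in zip(r_shares, b_s)]
    gamma_shares[0] = (gamma_shares[0] + shift_by) % Q
    gamma = reconstruct(commit_then_open(gamma_shares))              # x - a (+ Delta)
    delta = reconstruct(commit_then_open(delta_shares))              # r - b
    # [rx] = [c] + gamma*[b] + delta*[a] + gamma*delta, the constant added by P_1
    rx_shares = [(c + gamma * b + delta * a) % Q for a, b, c in zip(a_s, b_s, c_s)]
    rx_shares[0] = (rx_shares[0] + gamma * delta) % Q
    rx = reconstruct(commit_then_open(rx_shares))                    # step (iii)
    return rx == 0                                                   # step (iv)


def tag_difference_shares(alpha, z, z_delta):
    """Shares of [gamma(z)] - z~[alpha] with gamma(z) = alpha*z (assumed MAC
    form) and z~ = z + Delta_z chosen by the adversary."""
    tag_shares = share(alpha * z % Q)
    alpha_shares = share(alpha)
    z_tilde = (z + z_delta) % Q
    return [(t - z_tilde * a) % Q for t, a in zip(tag_shares, alpha_shares)]


def naive_tag_open(alpha, z, z_delta):
    """The straightforward check: open the difference directly."""
    return reconstruct(tag_difference_shares(alpha, z, z_delta))


def recover_alpha(opened, z_delta):
    """What the adversary does with a direct opening: the value is -Delta_z*alpha."""
    return (-opened) * pow(z_delta, Q - 2, Q) % Q


def tag_check(alpha, z, z_delta):
    """The same check through ZeroTest: only top/bottom comes out."""
    return zero_test(tag_difference_shares(alpha, z, z_delta))


if __name__ == "__main__":
    alpha, z, d = 987654321, 424242, 17
    print("direct opening leaks alpha:", recover_alpha(naive_tag_open(alpha, z, d), d) == alpha)
    print("ZeroTest on honest tag:", tag_check(alpha, z, 0))
    print("ZeroTest on shifted tag:", tag_check(alpha, z, d))
```

With a shift $\Delta$ on an honest $x = 0$ the opened value is $r\Delta$, which is non-zero except when $r = 0$ (probability $1/q$), and which reveals nothing about $\alpha$ because $r$ is uniform and never opened on its own.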
We first prove that the subprotocol is correct and sound:
Lemma 5.3.5 (Correctness and Soundness of ZeroTest). ZeroTest satisfies the following properties:
• Correctness: if players follow the instructions of the protocol, $\mathrm{ZeroTest}([0]) = \top$ with probability 1.
• Soundness: consider the joint distribution $p(x, v_0)$, where $v_0$ denotes the adversary's view before the execution of ZeroTest; then
$$p\big(\mathrm{ZeroTest}([x]) = \top\big) \le 1/q + p_{\mathrm{guess}}(x \mid v_0).$$
Furthermore, if $x = 0$ but the output is $\bot$, then a dishonest player has broadcast an incorrect version of a value to which he is committed by means of a linear combination of the commitments produced in the pre-processing phase.
Proof. - Correctness: trivially, ZeroTest will open $[r\cdot 0] = [0]$.
- Soundness: by definition of the protocol, the output of $\mathrm{ZeroTest}([x])$ is equal to $\top$ if and only if $b = 0$, where
$$b := (r - \tilde r)(x - \tilde x) - \tilde y,$$
$r$ is a variable uniformly distributed and independent of $x$, $\tilde x$, $\tilde r$ and $\tilde y$, and the variables $\tilde r$, $\tilde x$ and $\tilde y$ are chosen by the adversary, and are thus determined by his current view (since we can assume without loss of generality that the adversary is deterministic).
By the law of total probability, we have the following equality:
$$p\big((r-\tilde r)(x-\tilde x)-\tilde y = 0\big) = \sum_{\hat v_0} p(v_0 = \hat v_0)\cdot p\big((r-\tilde r(\hat v_0))(x-\tilde x(\hat v_0)) = \tilde y(\hat v_0) \;\big|\; v_0 = \hat v_0\big).$$
We focus on the term $p\big((r-\tilde r(\hat v_0))(x-\tilde x(\hat v_0)) = \tilde y(\hat v_0) \mid v_0 = \hat v_0\big)$; we can assume that $\tilde y(\hat v_0) = 0$, since this clearly yields the highest probability. Notice that
$$p\big((r-\tilde r(\hat v_0))(x-\tilde x(\hat v_0)) = 0 \mid v_0 = \hat v_0\big) \le p\big(r = \tilde r(\hat v_0) \mid v_0 = \hat v_0\big) + p\big(x = \tilde x(\hat v_0) \mid v_0 = \hat v_0\big) \le \frac{1}{q} + \max_{\hat x} p(x = \hat x \mid v_0 = \hat v_0),$$
since a product in a field vanishes only if one of its factors does, and $r$ is uniform and independent of $v_0$. This implies that
$$p\big((r-\tilde r)(x-\tilde x)-\tilde y = 0\big) \le \sum_{\hat v_0} p(v_0 = \hat v_0)\cdot\Big(\frac{1}{q} + \max_{\hat x} p(x = \hat x \mid v_0 = \hat v_0)\Big) \le \frac{1}{q} + \sum_{\hat v_0} p(v_0 = \hat v_0)\cdot \max_{\hat x} p(x = \hat x \mid v_0 = \hat v_0) = \frac{1}{q} + p_{\mathrm{guess}}(x \mid v_0).$$
Moreover, notice that since ZeroTest only uses broadcast for communication, all incorrect values submitted by players are now public; hence if $x = 0$ but the output is $\bot$, then a dishonest player must have submitted a false value during the multiplication of $r$ and $x$, and thus he will be exposed when the commitments on these values are checked.
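The soundness bound just proved, checked exactly for a small field (an added example, not from the thesis): with $r$ uniform in $\mathbb{F}_q$ and independent of $x$, the probability that the opened value $(r-\tilde r)(x-\tilde x)-\tilde y$ is zero is enumerated over all pairs $(r, x)$, maximised over every adversarial choice of $(\tilde r, \tilde x, \tilde y)$, and compared with $1/q + p_{\mathrm{guess}}(x \mid v_0)$. The field size $q = 11$ and the two distributions of $x$ are assumptions of the example; the adversary's view $v_0$ enters only through the conditional distribution of $x$ it induces.

```python
"""Exact evaluation of the ZeroTest soundness bound for small q
(constructed example, not from the thesis)."""
from fractions import Fraction
from itertools import product


def cheat_success(q, x_dist, r_tilde, x_tilde, y_tilde):
    """Pr[(r - r~)(x - x~) - y~ = 0] for r uniform in F_q, independent of x,
    and x drawn from x_dist (a dict value -> Fraction, summing to 1)."""
    total = Fraction(0)
    for x, p_x in x_dist.items():
        hits = sum(1 for r in range(q) if ((r - r_tilde) * (x - x_tilde) - y_tilde) % q == 0)
        total += p_x * Fraction(hits, q)
    return total


def best_cheat(q, x_dist):
    """Brute-force the adversary's best deviation; returns (prob, (r~, x~, y~))."""
    best_p, best_choice = Fraction(0), None
    for choice in product(range(q), repeat=3):
        p = cheat_success(q, x_dist, *choice)
        if p > best_p:
            best_p, best_choice = p, choice
    return best_p, best_choice


def p_guess(x_dist):
    """Best single guess of x from the view: the largest conditional probability."""
    return max(x_dist.values())


def soundness_bound(q, x_dist):
    """The right-hand side of Lemma 5.3.5: 1/q + p_guess(x | v_0)."""
    return Fraction(1, q) + p_guess(x_dist)


def uniform_x(q):
    return {x: Fraction(1, q) for x in range(q)}


def skewed_x(q, favourite, weight):
    """x = favourite with probability weight, the rest spread uniformly (assumption)."""
    rest = (1 - weight) / (q - 1)
    return {x: (weight if x == favourite else rest) for x in range(q)}


if __name__ == "__main__":
    q = 11
    for dist in (uniform_x(q), skewed_x(q, 3, Fraction(1, 2))):
        p, choice = best_cheat(q, dist)
        print(f"best cheat {p} with (r~, x~, y~)={choice}; bound {soundness_bound(q, dist)}")
```

For uniform $x$ the best deviation is $\tilde y = 0$ with any $(\tilde r, \tilde x)$, succeeding with probability $(2q-1)/q^2$, just under the bound $2/q$; for the skewed distribution the adversary sets $\tilde x$ to the most likely value and $\tilde y = 0$, and the exhaustive search confirms that no choice of $\tilde y \neq 0$ does better, which is the assumption made in the proof.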
Finally, we need to discuss the privacy of ZeroTest; we first remark that Definition 5.3.2, formalizing our privacy notion, yields the following consequences:
Remark 5.3.1. Assume that the uniform distribution of $x$ given $v$ is a list of size $m$; we then have the following properties:
(ii) $p(x = y \mid x \notin \ell) \le 1/(q - m)$ for any $y = y(v)$ (consequence of (II) via the law of total probability).
Furthermore, let $r$ be a random variable independent of both $v$ and $x$, and set $v' := (v, r)$. Then it trivially holds that if $p(x, v)$ satisfies the above definition, then so does $p(x, v')$.
Lemma 5.3.6 (Privacy of ZeroTest). Given an abstract pair of random variables $(x, v_0)$, where $v_0$ denotes the adversary's view, assume that the uniform distribution of $x$ given $v_0$ is a list of size $m_0$. Then after the execution of $\mathrm{ZeroTest}([x])$, the distribution of $x$ given $v$ is a list of guesses of size at most $m := m_0 + 1$, where $v$ denotes the adversary's view after the execution of ZeroTest.
Proof. By looking at the instructions to compute and open $[xr]$ to $P_i$, we see that the adversary can learn the following values (plus random sharings of them): $\gamma := x - a$, $\delta := r - b$ and $\pi := (r - \tilde r)(x - \tilde x)$, where $a$, $b$ and $r$ are jointly uniformly distributed and independent of each other and of $v_0$, $x$, $\tilde x$, $\tilde r$; the values $\tilde x$ and $\tilde r$ are chosen by the adversary, and are thus determined by his view (since we assume without loss of generality that the adversary is deterministic). Now, given the adversary's view $v_0$ before the execution of ZeroTest, the adversary's current view is equal to $(v_0, \gamma, \delta, \pi)$; notice that $a$ and $b$ are (jointly) random and independent of $x$, $r$, $v_0$ and $\pi$, and thus so are $\gamma = x - a$ and $\delta = r - b$, so that we may restrict the view to $v := (v_0, \pi)$ (cf. Remark 5.3.1)$^7$.
Now by inductive hypothesis, there exists a conditional distribution $p(\ell_0 \mid v_0)$ such that properties I and II hold for $p(x, v_0, \ell_0) := p(x, v_0)\cdot p(\ell_0 \mid v_0)$; in a natural way, we define the new distribution to be
$$p\big(\ell = (x_1, \dots, x_{m_0}, x_m) \mid v\big) := p\big(\ell_0 = (x_1, \dots, x_{m_0}) \mid v_0\big)\cdot p\big(\tilde x(v_0) = x_m \mid v_0\big).$$
Clearly, elements in the range of $\ell$ are lists of size $m = m_0 + 1$ of elements in the range of $x$.
We now prove that properties I and II hold for $p(x, v, \ell)$: first of all, notice that $p(x \in \ell) = p(x \in \ell_0) + p(x = \tilde x(v_0) \mid x \notin \ell_0)\cdot p(x \notin \ell_0)$; hence thanks to properties (i) and (ii) of Remark 5.3.1 (the right-hand side being non-decreasing in $p(x \in \ell_0)$) we have that
$$p(x \in \ell) = p(x \in \ell_0) + p\big(x = \tilde x(v_0) \mid x \notin \ell_0\big)\cdot p(x \notin \ell_0) \le \frac{m_0}{q} + p\big(x = \tilde x(v_0) \mid x \notin \ell_0\big)\cdot\Big(1 - \frac{m_0}{q}\Big) \le \frac{m_0}{q} + \frac{1}{q - m_0}\cdot\frac{q - m_0}{q} = \frac{m_0 + 1}{q} = \frac{m}{q}.$$
$^7$ For the same reason, we omit here the fact that the view also contains random sharings.
Hence property I holds; we can thus focus on property II. As a first step, notice that if $x \notin \hat\ell$, then in particular $x \ne \tilde x(\hat v_0)$; hence we can re-write $\pi = \hat\pi$ as $r = \tilde r(\hat v_0) + \hat\pi/(x - \tilde x(\hat v_0))$. Hence, since $r$ is independent of $x$, $v_0$ and $\ell_0$, we obtain the following equalities:
$$p\big(x \mid (v_0, \pi) = (\hat v_0, \hat\pi),\ \ell = \hat\ell,\ x \notin \hat\ell\big) = p\big(x \mid v_0 = \hat v_0,\ \ell_0 = \hat\ell_0,\ x \notin \hat\ell_0,\ x \ne \tilde x(\hat v_0)\big) = p\big(x \mid x \notin \hat\ell_0,\ x \ne \tilde x(\hat v_0)\big),$$
which means that property II holds.
We discuss in the next section how to securely share the inputs of the players and reconstruct the output of the circuit.